Fast algorithm for theShortest Vector Problem

er

(joint with Aggarwal, Dadush, andStephens-Davidowitz)

Oded RegevCourant Institute, NYU

UC Irvine, Sloan conference 2015/09/02

est

• A lattice is a set of points

L={a1v1+…+anvn| ai integers}

for some linearly independentvectors v1,…,vn in Rn

• We call v1,…,vn a basis of L

Lattices

v1 v2

0

2v1v1+v2 2v2

2v2-v1

2v2-2v1

• Geometric objects with rich mathematical structure

• Considerable mathematical interest, starting fromearly work by Lagrange 1770, Gauss 1801, Hermite1850, and Minkowski 1896.

History

• SVP: Given a lattice, find the shortest vector

• Best known algorithm runs in time 2O(n)

[AjtaiKumarSivakumar01,…]

• No better quantum algorithm known

Shortest Vector Problem (SVP)

0

v2

v1

Basis is not Unique

0

v2

v1

v1’

v2’

Even Rotations of Zn seem hard!

7

• An efficient algorithm that outputs a “somewhat short”vector in a lattice

• Applications include:• Solving integer programs in a fixed dimension,

• Factoring polynomials over rationals,

• Finding integer relations:

• Attacking knapsack-based cryptosystems [LagariasOdlyzko’85] andvariants of RSA [Håstad’85, Coppersmith’01]

The LLL Algorithm[LenstraLenstraLovász82]

5.709975946676696… =?

4+35

8

Lattices and Cryptography• Lattices can also be used to create cryptography

• This started with a breakthrough of Ajtai in 1996

• Cryptography based on lattices has manyadvantages compared with ‘traditional’cryptography like RSA:– It has strong, mathematically proven, security

– It is resistant to quantum computers

– In some cases, it is much faster

– It can do more: fully homomorphic encryption!

9

• Private key: a random odd integer s

• Public key: a list of random multiples of s plus a smallpositive even random number

• Encrypt 0: add random set of half of them

• Encrypt 1: same, but add 1

• Decrypt: compute remainder under division by s andcheck if it’s odd

A Really Simple Public Key Cryptosystem[Ajtai-Dwork 1997, Cohen 2000, R03, Levieil-Naccache 2008]

100198100, 65073, 191197,…

289298

Progress on provable SVP algsTime Space

[Kan86]

[AKS01]

[NV08, PS09,MV10a]…

[MV10b] Det

This work

Discrete Gaussian Distribution

Discrete Gaussian Distribution

If we can obtain discrete Gaussiansamples for small enough s, we can

solve SVP

Obtaining discrete Gaussian samples

• It is easy to obtain samples for large s [GPV08]• Our goal: take samples of width s and output

samples with smaller width, say, s/2• Then we can simply repeat

• Naïve attempt: given x output x/2• Problem: x/2 is not in the lattice!

• Second naïve attempt: only take x in 2L, and thenoutput x/2• Correct output distribution, but we keep only 2-n

of the samples

Obtaining discrete Gaussian samples

• A better attempt: partition the samples accordingto their coset of 2L

• Then take two samples from a coset and outputtheir average• Notice that if x,y are in the same coset of 2L,then x+y is in 2L, and so (x+y)/2 is in L

• Intuitively, since x and y are Gaussian with s, thenx+y is Gaussian with 2·s, and (x+y)/2 is Gaussianwith s/2

• But is it distributed correctly?

Input Distribution

Output Distribution

Red=evenYellow=oddOrange=desired

Obtaining discrete Gaussian samples

• It turns out that by taking “even” with probabilityp2

even and “odd” with probability p2odd , we get

exactly the discrete Gaussian distribution• Proof by picture in the one-dimensional case:

Even

Odd

Square Sampling• Summary so far:

• Bucket the samples into 2n buckets, based on their coset of 2L

• Then pick a bucket with probability proportional to square of itsprobability, and output (x+y)/2 for two vectors in the bucket

• For this we use a “square sampling” procedure:given samples from a distribution (p1,…,pN), outputsamples from the distribution (p1

2,…,pN2)/∑pi

2

• We do this using rejection sampling• The loss rate is ∑pi

2/pmax

• Total loss is 2n/2 due to magic!

Summary• In time 2n we are able to sample from the discrete

Gaussian distribution (of any radius)• This implies a 2n time algorithm for SVP• Recent work by my coauthors: also CVP in 2n !

• A close inspection of our algorithm shows that 2n/2

should be the right answer• So far we are only able to achieve that abovesmoothing• This implies 2n/2 algorithm for O(1)-GapSVP• Puzzle: given coin with unknown headsprobability p; output a coin with probability p